Internet routing and data security: the latest from the industry

The North American Network Operators' Group (NANOG) conference has been running three times a year since 1994. I attended my first NANOG conference in February of last year, and found the content, and especially the people, to be awesome (being hosted in Orlando certainly helped). I was able to meet people who pretty much run the core of the Internet: Tier 1 ISPs, Domain Name Registrars, vendors and developers. The mood was great, and although most attendees are technically competitors, they all know they are there to make the Internet work better.

I have stumbled upon NANOG presentations before when researching an issue or a new technology, and it was usually the best resource I could find. This was equally true for NANOG 57, which took place last month. I attended great technical presentations and also a peering track where experts discussed the challenges of modern Internet peering.

But I would like to focus here on two very prescient topics: Domain Name Systems (DNS) and Internet Exchange Route Servers.

Domain Name Systems

At first, I was surprised to see a DNS talk at NANOG. I mean, they have been meeting since 1994, how can they still have interest in DNS? But it only took me a minute to understand why: Domain Name System Security Extensions (DNSSEC)! This is the new DNS standard that adds a layer of security to the inherently unsecure DNS protocol. I thought, 'This is great, the speaker will show that everybody should be adopting it without blinking.'

Well, not quite. It turns out that DNSSEC is a big Distributed Denial-of-Service (DDOS) amplification vector. Sending a few spoofed UDP packets towards a Top-Level Domain (TLD) maintainer makes the servers send large amounts of data to anyone the attacker wants. This happens because a small DNSSEC query creates a huge reply with all cryptographic keys in it. Now I understand why it was so important to have a DNS talk: it was showing how to prevent DNSSEC DDOS amplification attacks! What was supposed to be a security improvement to an essential Internet service quickly became a source of a DDOS, which is a different security issue.

And it seems there is no easy way out. The two proposed solutions demand full community efforts. The first, BCP38 (an IETF best practice about filtering spoofed packets), will only really work when every ISP implements it. And we are far away from this happening, although everybody should start doing it right away! The other solution, DNSSEC response rate-limiting, needs to be implemented by every DNSSEC servers in order to be effective. So yes, the NANOG community was the perfect place to bring awareness to this issue.

Internet Exchange Route Servers: BIRD

The other interesting talk was on the popular BIRD routing software. The presentation focused mainly on the Border Gateway Protocol (BGP) route server features used in Internet Exchanges. One of the main developers, Ondrej Filip, CEO of the CZ.NIC association, was on stage to explain how it works.

In my opinion, the most interesting update was about a new feature for route filtering. The 'issue' is that BGP only re-advertises the best route it has, which works great for 99% of people. But in an Internet Exchange environment, you want to give people the ability to peer with the route server and send/receive routes to/from everybody that is also peering with it. That works fine until people start asking for filters. For example, let's say ISP A wants to exchange routes with everybody but ISP B through the route server. Server B could have got the same route through ISP C, but because BGP only advertises the best route (ISP A), ISP B will end up with no routes to that particular destination.

The first attempt to solve this was to create a Routing Information Base (RIB) for each peer. The problem is that this does not scale, especially when current Internet Exchanges have hundreds of peers connecting to the Route Server. The BIRD solution is to add an option to advertise secondary routes when the best route is filtered. It is clever, but one has to be aware that this breaks the BGP standard. However, as long as it is used with care and confined to an Internet Exchange, it is a very good solution that scales well and simplifies the configuration, which usually means better uptime.

All in all, I am looking forward to attending the next NANOG. Although the event organizers post the videos and presentations online a few weeks after the conference, there is no better way to network with people in the Internet industry than to meet them face to face!